Date: Thu, 23 Dec 2004 20:38:34 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 67606 for review Message-ID: <200412232038.iBNKcYe8078125@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=67606 Change 67606 by areisse@areisse_tislabs on 2004/12/23 20:38:30 Checkpoint work on updating policy. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/cleanvar.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/devd.te#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#8 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#6 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/dhcpc.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/rpcd.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#4 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/devd.fc#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/fsadm.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/logrotate.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/syslogd.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/types.fc#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#8 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/atrun.te#6 (text+ko) ==== 
@@ -32,3 +32,6 @@
 allow atrun_t { var_at_jobs_t var_at_spool_t }:dir rw_dir_perms;
 allow atrun_t var_at_jobs_t:file { r_file_perms unlink };
 allow atrun_t var_at_spool_t:file create_file_perms;
+
+uses_shlib(atrun_t)
+allow atrun_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/cleanvar.te#5 (text+ko) ====
@@ -26,3 +26,4 @@
 allow cleanvar_t fs_t:filesystem { getattr };
 can_exec(cleanvar_t, bin_t)
 general_domain_access(cleanvar_t) #!!!
+uses_shlib(cleanvar_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#6 (text+ko) ====
@@ -62,3 +62,5 @@
 dontaudit getty_t staff_home_dir_t:dir search;
 r_dir_file(getty_t, sysfs_t)
+
+allow getty_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#2 (text+ko) ====
@@ -22,3 +22,5 @@
 # for when /usr is not mounted
 dontaudit hostname_t file_t:dir search;
+
+allow hostname_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#7 (text+ko) ====
@@ -156,6 +156,10 @@
 allow initrc_t var_lib_t:file rw_file_perms;
 allow initrc_t var_lib_t:file unlink;
+# /var/db/entropy
+allow initrc_t var_db_entropy_t:file { read write create };
+allow initrc_t var_db_entropy_t:dir { read add_name remove_name };
+
 # Create lock file.
 allow initrc_t var_lock_t:dir create_dir_perms;
 allow initrc_t var_lock_t:file create_file_perms;
@@ -169,8 +173,8 @@
 # Read and unlink /var/run/*.pid files.
 allow initrc_t pidfile:file { getattr read unlink };
-# Write to /dev/urandom.
-allow initrc_t urandom_device_t:chr_file rw_file_perms;
+# Write to /dev/random.
+allow initrc_t random_device_t:chr_file rw_file_perms;
 # Set device ownerships/modes.
 allow initrc_t framebuf_device_t:lnk_file read;
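Review bot: The new `allow atrun_t self:fd { create use };` is the same rule this change also adds by hand to getty.te, hostname.te, ssh.te, syslogd.te, rpcd.te and sendmail.te; a rule every domain needs belongs in a shared macro (the change already routes shared-library access through `uses_shlib`, and cleanvar.te shows `general_domain_access` as another candidate) rather than seven copies that will drift. If `fd create` is an SEBSD-specific permission that the Linux policy does not have, the macro is also the one place to document that. At minimum a comment at the copy, `# fd create/use: SEBSD checks fd permissions against self — kept in sync with the other domains`, tells the next reader why the rule exists; better is to move it into the macro and drop the copies.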
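Review bot: The hand-written `var_db_entropy_t:dir { read add_name remove_name }` omits `search`, which the SELinux directory checks pair with `add_name` and `remove_name` when a name is created or removed, so the entropy-file creation this rule is meant to permit may still be denied (whether SEBSD's vnode checks differ is not visible here). The lock-file rules three lines below use `create_dir_perms` and `create_file_perms`; using the same macros, or adding `search` (and `getattr`/`unlink` on the file class if the file is replaced rather than rewritten) deliberately, keeps this consistent with the rest of initrc.te. If the narrow set is intentional least privilege, say so in the comment, e.g. `# /var/db/entropy: initrc only reads, writes and creates the saved-entropy file; no search/getattr on purpose`.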
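Review bot: The rewritten comment `# Write to /dev/random.` describes only half of the rule below it, since `rw_file_perms` also grants read on `random_device_t`; initrc reading the entropy device is normal, but the comment should say so. The switch away from `urandom_device_t` is presumably because FreeBSD's /dev/urandom is an alias of /dev/random; recording that, `# Read/write /dev/random (on FreeBSD /dev/urandom is the same device)`, would stop a later merge from reverting it, and it is worth confirming that `urandom_device_t` is either still referenced elsewhere or removed from the type declarations so nothing is left labeled with a type no domain can reach.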
@@ -267,6 +271,10 @@
 # allow making links in /dev
 allow initrc_t device_t:dir { add_name };
 allow initrc_t device_t:lnk_file { create };
+allow device_t device_t:filesystem associate;
+
+# /var/.diskless
+allow initrc_t var_t:dir { add_name remove_name rmdir create };
 #################################
 #
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#8 (text+ko) ====
@@ -110,6 +110,8 @@
 # Update /var/log/lastlog.
 allow $1_t lastlog_t:file rw_file_perms;
+allow $1_t self:fd { create use };
+
 read_locale($1_t)
 read_sysctl($1_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#6 (text+ko) ====
@@ -88,3 +88,5 @@
 # allow access to klog
 allow syslogd_t klog_device_t:chr_file { poll read };
+# Use file descriptors
+allow syslogd_t self:fd { create use };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/dhcpc.te#3 (text+ko) ====
@@ -80,7 +80,7 @@
 allow dhcpc_t { userdomain run_init_t }:fd use;
 # Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config sys_admin };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/rpcd.te#3 (text+ko) ====
@@ -129,3 +129,8 @@
 # for exportfs and rpc.mountd
 allow nfsd_t tmp_t:dir getattr;
 r_dir_file(rpcd_t, rpc_pipefs_t)
+
+# rpc.umntall
+allow rpcd_t self:fd { create use };
+allow rpcd_t nfs_t:filesystem getattr;
+#dontaudit rpcd_t fs_type:filesystem getattr;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unused/sendmail.te#4 (text+ko) ====
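Review bot: `allow device_t device_t:filesystem associate;` is a labeling rule for the device_t type, not a permission for initrc_t, yet it sits in initrc.te under the `# allow making links in /dev` comment; placed here it is easy to misread as part of initrc's access and it silently disappears if initrc.te is ever left out of a build. It belongs next to the device_t declaration with its own comment, e.g. `# device_t nodes live on devfs, which is itself labeled device_t`. The `var_t:dir { add_name remove_name rmdir create }` rule for /var/.diskless has the same hand-picked shape as the entropy rule in the earlier initrc.te hunk: `search` is presumably covered by an existing var_t rule, but `write` is worth confirming against the SEBSD directory checks before relying on this to create and remove the directory.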
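Review bot: Adding `sys_admin` to dhcpc_t's capability set is the widest single grant in this change: a DHCP client processes untrusted network responses, and sys_admin covers far more than interface configuration, so a compromise of the client now reaches much further. The `# Use capabilities` comment does not say which operation needed it; a note such as `# sys_admin: needed for <operation> on FreeBSD — TODO confirm and narrow` (naming the syscall or ioctl that was actually denied) lets the grant be scoped, or replaced by a dontaudit if the denial is harmless. dhcpc.te lives under unused/, so the exposure only applies once it is enabled, but the same reasoning applies then.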
@@ -29,6 +29,8 @@
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:fd { create use };
+
 # Bind to the SMTP port.
 allow sendmail_t smtp_port_t:tcp_socket name_bind;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/fsadm.fc#5 (text+ko) ====
@@ -19,7 +19,7 @@
 /sbin/parted -- system_u:object_r:fsadm_exec_t
 /sbin/tune2fs -- system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
+/sbin/swapon -- system_u:object_r:fsadm_exec_t
 /sbin/hdparm -- system_u:object_r:fsadm_exec_t
 /sbin/raidstart -- system_u:object_r:fsadm_exec_t
 /sbin/mkraid -- system_u:object_r:fsadm_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/logrotate.fc#5 (text+ko) ====
@@ -7,3 +7,5 @@
 /var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
 # using a hard-coded name under /var/tmp is a bug - new version fixes it
 /var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
+# FreeBsd
+/usr/sbin/newsyslog -- system_u:object_r:logrotate_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/syslogd.fc#5 (text+ko) ====
@@ -6,3 +6,4 @@
 /dev/log -s system_u:object_r:devlog_t
 /var/run/log -s system_u:object_r:devlog_t
 /var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t
+newsyslog XXX -- system_u:object_r:syslogd_exec_t
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/types.fc#5 (text+ko) ====
@@ -59,6 +59,7 @@
 # A common mount point
 /mnt(/.*)? -d system_u:object_r:mnt_t
 /media(/.*)? -d system_u:object_r:mnt_t
+/cdrom -d system_u:object_r:mnt_t
 #
 # /var
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/core_macros.te#3 (text+ko) ====
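Review bot: Narrowing `/sbin/swapon.*` to `/sbin/swapon` stops the entry from matching anything but that exact path; on FreeBSD swapoff and swapctl are the same program installed under /sbin, so if they are present they lose the fsadm_exec_t label and run in the caller's domain instead of transitioning. If the intent was only to drop the Linux-style suffix matches, `/sbin/swap(on|off|ctl) -- system_u:object_r:fsadm_exec_t` keeps the FreeBSD names; if the other names are excluded on purpose, a comment saying so would prevent the next reader from widening it again.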
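Review bot: `/usr/sbin/newsyslog -- system_u:object_r:logrotate_exec_t` labels newsyslog for the logrotate domain, while the syslogd.fc hunk in this same change adds `newsyslog XXX -- system_u:object_r:syslogd_exec_t` for the same program; two contexts for one binary make its label depend on file_contexts ordering, and `newsyslog XXX` is not a path regex that can match anything, so it is dead at best and a file_contexts build error at worst. Pick one domain for newsyslog and drop the other entry, or replace the syslogd.fc line with a comment pointing at this one, e.g. `# newsyslog is labeled logrotate_exec_t in logrotate.fc`. The `# FreeBsd` comment also reads better as `# FreeBSD`.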
@@ -549,12 +549,10 @@
 # Access the pty master multiplexer.
 allow $1_t ptmx_t:chr_file rw_file_perms;
-ifdef(`devfsd.te', `
 allow $1_t device_t:filesystem getattr;
-')
-allow $1_t devpts_t:filesystem getattr;
 # allow searching /dev/pts
+allow $1_t device_t:dir { getattr read search };
 allow $1_t devpts_t:dir { getattr read search };
 # ignore old BSD pty devices
@@ -572,7 +570,7 @@
 type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
 # Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
+allow $1_devpts_t device_t:filesystem associate;
 # Label pty files with a derived type.
 type_transition $1_t devpts_t:chr_file $1_devpts_t;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/macros/global_macros.te#8 (text+ko) ====
@@ -88,7 +88,7 @@
 allow $1 { var_t var_run_t }:dir search;
 allow $1 lib_t:lnk_file r_file_perms;
 allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
+allow $1 ld_so_t:file execute_no_trans;
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 shlib_t:file rx_file_perms;
 allow $1 shlib_t:lnk_file r_file_perms;
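Review bot: After the `ifdef(`devfsd.te'` guard is removed, `allow $1_t device_t:filesystem getattr;` is unconditional, but the `devpts_t:filesystem getattr` rule is dropped while `devpts_t:dir { getattr read search }` here and `type_transition $1_t devpts_t:chr_file $1_devpts_t;` in the second hunk still refer to devpts_t; if ptys now come from devfs, which is what the second hunk's switch to `device_t:filesystem associate` suggests, those devpts_t rules are dead and the `# allow searching /dev/pts` comment no longer describes what the new `device_t:dir` line does. A comment stating the FreeBSD model, e.g. `# FreeBSD: ptys are devfs nodes labeled under device_t; the devpts_t rules below are kept for compatibility with the Linux policy`, would make the intent explicit and tell a later reader whether the leftovers can go. The enclosing macro starts before and ends after this hunk.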
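Review bot: Uncommenting `allow $1 ld_so_t:file execute_no_trans;` lets every domain that uses this macro execute the dynamic loader as a program in its own domain, on top of the `rx_file_perms` mapping permission on the line above; that is a broader grant than loading libraries, because running the loader directly bypasses the domain transition that the target binary's own exec type would otherwise drive. If this is required because the FreeBSD image activator checks exec permission on the ELF interpreter itself, record that where the old comment was, e.g. `# FreeBSD checks exec permission on the ELF interpreter, so execute_no_trans is required here — confirm against the kernel check`; if it is a workaround for one program, a per-domain grant is narrower than putting it in the shared macro.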